ima: use the lsm policy update notifier

Don't do lazy policy updates while running the rule matching, run the updates as they happen. Depends on commit f242064c5df3 ("LSM: switch to blocking policy update notifiers") Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
author: Janne Karhunen <janne.karhunen@gmail.com> 2019-06-14 15:20:15 +0300
committer: Mimi Zohar <zohar@linux.ibm.com> 2019-06-14 09:02:43 -0400
commit: b169424551930a9325f700f502802f4d515194e5 (patch)
tree: 5b38bb996cfe6791c0c672a1576c198ed8c9599e /security/integrity/ima/ima_main.c
parent: 42df744c4166af6959eda2df1ee5cde744d4a1c3 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f16353b5097e..9e3ea8a3f2db 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -43,6 +43,10 @@ int ima_appraise;
 int ima_hash_algo = HASH_ALGO_SHA1;
 static int hash_setup_done;
 
+static struct notifier_block ima_lsm_policy_notifier = {
+	.notifier_call = ima_lsm_policy_change,
+};
+
 static int __init hash_setup(char *str)
 {
 	struct ima_template_desc *template_desc = ima_template_desc_current();
@@ -621,6 +625,10 @@ static int __init init_ima(void)
 		error = ima_init();
 	}
 
+	error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
+	if (error)
+		pr_warn("Couldn't register LSM notifier, error %d\n", error);
+
 	if (!error)
 		ima_update_policy_flag();
author	Janne Karhunen <janne.karhunen@gmail.com>	2019-06-14 15:20:15 +0300
committer	Mimi Zohar <zohar@linux.ibm.com>	2019-06-14 09:02:43 -0400
commit	b169424551930a9325f700f502802f4d515194e5 (patch)
tree	5b38bb996cfe6791c0c672a1576c198ed8c9599e /security/integrity/ima/ima_main.c
parent	42df744c4166af6959eda2df1ee5cde744d4a1c3 (diff)